Description

[0001] This invention relates to methods and apparatus
for encrypting a set of message signals, and to
methods and apparatus for decrypting a set of message 
signals. 

[0002] In conventional telephony each telephone set 
(fax unit, modem, etc) is physically connected to a 
unique port on a switch at a local central office. The connection
is through a dedicated wire, or through a designated
channel on a dedicated wire. The wire connection
is installed by the service provider (who, typically, is the 
common carrier) and, therefore, the service provider 
can be reasonably sure that transmission on the chan- 
nel arrives from the subscriber. By comparison, authen- 
tication of a subscriber in wireless telephony is less 
certain. 

[0003] Under the current cellular telephony arrange- 
ment in the United States, when a cellular telephone 
subscriber places a call, his or her cellular telephone 
indicates to the service provider the identity of the caller 
for billing purposes. This information is not encrypted. If
an interloper eavesdrops at the right time, he or she can 
obtain the subscriber's identification information. This 
includes the subscriber's phone number and the elec- 
tronic serial number (ESN) of the subscriber's equip- 
ment. Thereafter, the interloper can program his or her 
cellular telephone to impersonate that bona fide sub- 
scriber to fraudulently obtain services. Alternately, an 
interloper can inject himself into an established connec- 
tion, overpower the customer's cellular telephone equip- 
ment by transmitting more power, and redirect the call to 
his or her purposes by sending certain control codes to 
the service provider. Basically, such piracy will succeed 
because the service provider has no mechanism for 
independently authenticating the identity of the caller at 
the time the connection is established and/or while the 
connection is active. 

[0004] Technology is available to permit an eaves- 
dropper to automatically scan all of the cellular frequen- 
cies in a given cell for such identification information. 
Consequently, piracy of cellular telephone services is 
rampant. Also, the lack of enciphering of the speech sig- 
nals lays bare to eavesdroppers the content of conver- 
sations. In short, there is a clear and present need for 
effective security measures in the cellular telephony art, 
and that suggests the use of cryptology for the pur- 
poses of ensuring authentication and privacy. 
[0005] Several standard cryptographic methods exist 
for solving the general sort of authentication problem 
that exists in cellular telephony, but each turns out to 
have practical problems. First, a classical chal- 
lenge/response protocol may be used, based on a pri- 
vate key cryptographic algorithm. In this approach, a 
subscriber's mobile station is issued with a secret key 
which is also known by the home system. When a serving
system wishes to authenticate a subscriber, it applies to
the home system for a challenge and a response to use
with the given subscriber. The home system composes
a random challenge and applies a one-way function to
the challenge concatenated with the subscriber's key to
obtain the corresponding response. The challenge and
response are supplied to the serving system, which
issues the challenge to the mobile station. The mobile
station in turn replies with the response, which it calculates
from the challenge and from its stored secret key.
The serving system compares the responses supplied
by the home system and by the mobile station, and if
they match, the mobile station is deemed authentic.
[0006] The problem with this approach is that often the 
serving system is unable to contact the home system 
quickly enough to allow authentication of a call setup, or
that the database software on the home system is unable
to look up the subscriber's secret key and compose
the challenge/response pair quickly enough. Network or
software delays of a second or two would add that much
dead time till the subscriber hears a dial tone after picking
up the handset when placing a call, and longer
delays (given the control networks and switching appa- 
ratus currently used by cellular providers) would be 
common. In the present milieu, such delays are unac- 
ceptable. 

[0007] Public key cryptography provides another
standard class of ways for solving authentication problems.
Generally speaking, each mobile station would be
provided with a "public key certificate" of identity,
signed by the public key of the service provider, stating
that the mobile station is a legitimate customer of the
service provider. In addition, each mobile would also be
given secret data (private keys) which it can use,
together with the certificate, to prove to third parties
(such as the serving system) that it is a legitimate customer.

[0008] For example, the service provider could have a pair
of RSA keys, (F,G), with F private and G public. The
service provider could supply each mobile with its own
pair (D,E) of RSA keys, together with F(E) (the encryption
of the mobile's public key E using the provider's private
key F). Then a mobile asserts its identity by
sending (E,F(E)) to the serving system. The serving
system applies G to F(E) to obtain E. The serving system
generates a challenge X, encrypts it with the
mobile's public key E to obtain E(X) which it sends to
the mobile. The mobile applies its private key D to E(X)
to obtain X, which it sends back to the server in the
clear as a response.

[0009] Although some variations on this theme involve 
less computation or data transmission than others, no
public key authentication scheme yet exists which is efficiently
executable in less than a second's time on the
sort of hardware currently used in cellular telephones.
Even though network connectivity between the serving
and home systems is not needed at the moment of
authentication, as it is in the classical approach, the 
same time constraints which rule out the classical 
approach also rule out the public key approach. 

[0010] Another technique is proposed by R.M. Needham
and M.D. Schroeder in Using Encryption for
Authentication in Large Computer Networks, Comm. of
the ACM, Vol. 21, No. 12, 993-999 (Dec. 1978). In brief,
the Needham-Schroeder technique requires that a third,
trusted, party (AS) should serve as an authentication
server which distributes session keys to the prospective
parties (A and B) who are attempting to establish
secure communications. The protocol is as follows:
when party A wishes to communicate with party B, it
sends to authentication server AS his own name, the
name of party B and a transaction identifier. Server AS
returns the name of party B, a session key, the transaction
identifier and a message encrypted with B's key. All
that information is encrypted with A's key. Party A
receives the information, decrypts it, selects the portion
that is encrypted with B's key and forwards that portion
to party B. Party B decrypts the received messages and
finds in it the name of party A and the session key. A last
check (to prevent "replays") is made by party B issuing
a challenge to party A and party A replies, using the
session key. A match found at party B authenticates the
identity of party A.

[0011] EP-A-0354770 discloses a method of encrypting
a 64 bit key with a 128 bit encrypting key and a 84 bit
control vector (or 128 bit control vector). A control vector
is a compact data structure for defining the usage
attribute of cryptographic keys from one network device
to another. In EP-A-0354770, when the control vector is
of an arbitrary length, it is first operated on using a hash
function which maps a control vector having many bits
into a hash value having fewer bits (such as 128 bits).
Thus, hashing is used in an encryption process to
reduce the length of a control vector of arbitrary length
associated with a cryptographic key.

[0012] EP-A-0105553 discloses a device for a multiple
encipherment of a data signal wherein the chance of
transmitting cleartext is reduced by a modulo-2 N addition.
Thus, the same key as applied to a first enciphering
device may be supplied to the second enciphering
device, even if the second enciphering device is mistakenly
set to decipher.

[0013] According to one aspect of this invention there
is provided a method as claimed in claim 1.
[0014] According to another aspect of this invention
there is provided a method as claimed in claim 2.
[0015] According to a further aspect of this invention
there is provided apparatus as claimed in claim 9.
[0016] According to yet another aspect of this invention
there is provided apparatus as claimed in claim 10.
[0017] Messages that are encrypted are encrypted
through three successive transformations that yield a
self inverting encryption process. In the first transformation
a randomized constant is added to each word of the
message to be encrypted. The constant is related to a
hashed string which comprises a portion of the shared
secret data field and which is hashed with the hash
function employed when deriving the shared secret data
field. In the second transformation the set of words that
make up the message (as modified by the first transfor- 
mation) are divided into a first half and a second half, 
and the first half is modified based in part on the second 
half. In the third transformation a randomized constant 
is subtracted from each word of the message (as modi- 
fied by the second transformation) to be encrypted. 
Again, the constant is related to a hashed string which 
comprises a portion of the shared secret data field and 
which is hashed with the hash function employed when 
deriving the shared secret data field. 

Brief Description of the Drawing 
[0018] 

FIG. 1 illustrates an arrangement of network provid- 
ers and cellular radio providers interconnected for 
service to both stationary and mobile telephones 
and the like; 

FIG. 2 depicts the process for directing the creation 
of a shared secret data field and the verification of 
same; 

FIG. 3 depicts the registration process in a visited 
base station, for example, when the mobile unit first 
enters the cell serviced by the base station; 
FIG. 4 shows the elements that are concatenated 
and hashed to create the shared secret data; 
FIG. 5 shows the elements that are concatenated 
and hashed to create the verification sequence; 
FIG. 6 shows the elements that are concatenated 
and hashed to create the registration sequence 
when the mobile unit goes on the air; 
FIG. 7 shows the elements that are concatenated 
and hashed to create the call initiation sequence;
FIG. 8 depicts the speech encryption and decryp- 
tion process in a mobile unit; 
FIG. 9 shows the elements that are concatenated 
and hashed to create the re-authentication 
sequence; 

FIG. 10 illustrates the three stage process for 
encrypting and decrypting selected control and 
data messages; and 

FIG. 11 presents a block diagram of a mobile unit's 
hardware. 

Detailed Description 

[0019] The security needs of cellular telephony may 
be met with an arrangement that depends on a shared 
secret data field. The mobile unit maintains a secret that 
is assigned to it by the service provider, and generates 
a shared secret data field from that secret. The service 
provider also generates the shared secret data field. 
When a mobile unit enters the cell of a base station, it 
identifies itself to the base station, and supplies to the 
base station a hashed authentication string. The base 
station consults with the provider, and if it is determined 
that the mobile unit is a bona fide unit, the provider supplies
the base station with the shared secret data field.
Thereafter the mobile unit communicates with the base
station with the assistance of authentication processes
that are carried out between the mobile unit and the
base station, using the shared secret data field.
[0020] One feature of this arrangement is that the various
base stations do not have access to the secret that
was installed in the mobile unit by the provider. And,
only the base stations which successfully interacted
with the mobile unit have the shared secret data field.
[0021] On the other hand, the more time consuming
authentication process that utilizes the secret, which
takes place only through involvement of the provider,
occurs only infrequently, when a mobile unit first enters
the cell (or when it is suspected that the shared secret
data field has been compromised).
[0022] Both the mobile unit and the base station
employ a portion of the shared secret data field to create
a pair of encryption keys. The first encryption key in
the pair is used by the mobile unit to encrypt speech
and is used by the base station to decrypt speech. The
second encryption key in the pair is used by the base
station to encrypt speech and is used by the mobile unit
to decrypt speech.
[0023] The same hash function that is used to create 
the shared secret data field is used to create the pair of 
encryption keys. 

[0024] In a mobile cellular telephone arrangement
there are many mobile telephones, a much smaller
number of cellular radio providers (with each provider
having one or more base stations) and one or more
switching network providers (common carriers). The
cellular radio providers and the common carriers combine
to allow a cellular telephone subscriber to communicate
with both cellular and non-cellular telephone
subscribers. This arrangement is depicted diagrammatically
in FIG. 1, where common carrier I and common
carrier II combine to form a switching network comprising
switches 10-14. Stationary units 20 and 21 are connected
to switch 10, mobile units 22 and 23 are free to
roam, and base stations 30-40 are connected to
switches 10-14. Base stations 30-34 belong to provider
1, base stations 35 and 36 belong to provider 2, base
station 37 belongs to provider 4, and base stations 38-40
belong to provider 3. For purposes of this disclosure,
a base station is synonymous with a cell wherein one or
more transmitters are found. A collection of cells makes
up a cellular geographic service area (CGSA) such as,
for example, base stations 30, 31, and 32 in FIG. 1.
[0025] Each mobile unit has an electronic serial
number (ESN) that is unique to that unit. The ESN
number is installed in the unit by the manufacturer, at
the time the unit is built (for example, in a read-only
memory), and it is unalterable. It is accessible, however.
[0026] When a customer desires to establish a service 
account for a mobile unit that the customer owns or 
leases, the service provider assigns to the customer a
phone number (MIN1 designation), an area code designation
(MIN2 designation) and a "secret" (A-key). The
MIN1 and MIN2 designations are associated with a
given CGSA of the provider and all base stations in the
FIG. 1 arrangement can identify the CGSA to which a
particular MIN2 and MIN1 pair belongs. The A-key is
known only to the customer's equipment and to the provider's
CGSA processor (not explicitly shown in FIG. 1).
The CGSA processor maintains the unit's ESN, A-key,
MIN1 and MIN2 designations and whatever other information
the service provider may wish to have.
[0027] With the MIN1 and the MIN2 designations and
the A-key installed, the customer's unit is initialized for 
service when the CGSA processor sends to the mobile 
unit a special random sequence (RANDSSD), and a 
directive to create a "shared secret data" (SSD) field. 
The CGSA sends the RANDSSD, and the SSD field 
generation directive, through the base station of the cell 
where the mobile unit is present. Creation of the SSD 
field follows the protocol described in FIG. 2. 
[0028] As an aside, in the FIG. 1 arrangement each 
base station broadcasts information to all units within its 
cell on some preassigned frequency channel (broad- 
cast band). In addition, it maintains two way communi- 
cations with each mobile unit over a mutually agreed, 
(temporarily) dedicated channel. The manner by which 
the base station and the mobile unit agree on the com- 
munications channel is unimportant to this invention, 
and hence it is not described in detail herein. One 
approach may be, for example, for the mobile unit to 
scan all channels and select an empty one. It would
then send to the base station its MIN2 and MIN1 designations
(either in plaintext form or enciphered with a
public key), permitting the base station to initiate an 
authentication process. Once authenticated communi- 
cation is established, if necessary, the base station can 
direct the mobile station to switch to another channel. 
[0029] As described in greater detail hereinafter, in the 
course of establishing and maintaining a call on a 
mobile telephony system of this invention, an authenti- 
cation process may be carried out a number of times 
throughout the conversation. Therefore, the authentica- 
tion process employed should be relatively secure and 
simple to implement. To simplify the design and lower 
the implementation cost, both the mobile unit and the 
base station should use the same process. 
[0030] Many authentication processes use a hashing 
function, or a one-way function, to implement the proc- 
esses. A hashing function performs a many-to-one 
mapping which converts a "secret" to a signature. The 
following describes one hashing function that is simple,
fast, effective, and flexible. It is quite suitable for the 
authentication processes of this invention but of 
course, other hashing functions can be used. 

The Jumble Process 

[0031] The Jumble process can create a "signature" of
a block of d "secret" data words b(i), with the aid of a k-word
key x(j), where d, i, j, and k are integers. The "signature"
creation process is carried out on one data word
at a time. For purposes of this description, the words on
which the Jumble process operates are 8 bits long (providing
a range from 0 to 255, inclusive), but any other
word size can be employed. The "secret" data block
length is incorporated in the saw tooth function

s_d(t) = t for 0 ≤ t ≤ d-1,
s_d(t) = 2d-2-t for d ≤ t ≤ 2d-3, and
s_d(t) = s_d(t+2d-2) for all t.

This function is used in the following process where,
starting with z=0 and i=0, for successively increasing
integer values of i in the range 0 ≤ i ≤ 6d-5,

a) b(s_d(i)) is updated by:
b(s_d(i)) = b(s_d(i)) + x(i_k) + SBOX(z) mod 256
where

* i_k is i modulo k, SBOX(z) = y + [y/2048] mod 256,

* y = (z ⊕ 16)(z+111)(z),

* [y/2048] is the integer portion of y divided by
2048, and ⊕ represents the bit-wise Exclusive-OR
function; and

b) z is updated with: z = z + b(s_d(i)) mod 256.

[0032] It may be appreciated that in the process just
described there is no real distinction between the data
and the key. Therefore, any string that is used for
authentication can have a portion thereof used as a key
for the above process. Conversely, the data words concatenated
with the key can be considered to be the
"authentication string". It may also be noted that each
word b(i), where 0 ≤ i < d, is hashed individually, one at a
time, which makes the hashing "in place". No additional
buffers are needed for the hashing process per se.
[0033] The process just described can be easily car- 
ried out with a very basic conventional processor, since 
the only operations required are: shifting (to perform the 
division by 2048), truncation (to perform the [ ] function 
and the mod 256 function), addition, multiplication, and 
bit-wise Exclusive-OR functions.
[0034] Returning to the SSD field initialization process 
of FIG. 2, when a RANDSSD sequence and the direc- 
tive to create a new SSD field (arrow 100 in FIG. 2) are 
received by the mobile station, a new SSD field is gen- 
erated in accordance with FIG. 4. The mobile unit con- 
catenates the ESN designation, the A-key, and the 
RANDSSD sequence to form an authentication string. 
The authentication string is applied to Jumble block 101 
(described above) which outputs the SSD field. The 
SSD field comprises two subfields: the SSD-A subfield
which is used to support authentication procedures, and
the SSD-B subfield which is used to support voice privacy
procedures and encryption of some signaling messages
(described below). It may be noted that a larger
number of SSD subfields can be created; either by subdividing
the SSD field formed as described above or by
first enlarging the SSD field. To increase the number of
bits in the SSD field one needs only to start with a larger
number of data bits. As will be appreciated from the disclosure
below, that is not a challenging requirement.
[0035] The home CGSA processor knows the ESN 
and the A-key of the mobile unit to which the received 
MIN2 and MIN1 designations were assigned. It also
knows the RANDSSD sequence that it sent. Therefore,
the home CGSA processor is in position to duplicate the
SSD field creation process of the mobile unit. By concatenating
the RANDSSD signal with the ESN designation
and the A-key, and with the above-described
Jumble process, the CGSA processor creates a new
SSD field and partitions it into SSD-A and SSD-B sub- 
fields. However, the SSD field created in the home 
CGSA processor must be verified. 
[0036] In accordance with FIG. 2, verification of the
created SSD field is initiated by the mobile unit. The
mobile unit generates a random challenge sequence
(RANDBS sequence) in block 102 and sends it to the
home CGSA processor through the serving base station
(the base station that serves the area in which the
mobile unit is located). In accordance with FIG. 5, the
home CGSA processor concatenates the challenge
RANDBS sequence, the ESN of the mobile unit, the
MIN1 designation of the mobile unit, and the newly created
SSD-A to form an authentication string which is
applied to the Jumble process. In this instance, the Jumble
process creates a hashed authentication signal
AUTHBS which is sent to the mobile station. The mobile
station also combines the RANDBS sequence, its ESN
designation, its MIN1 designation and the newly created
SSD-A to form an authentication string that is applied to
the Jumble process. The mobile station compares the
result of its Jumble process to the hashed authentication
signal (AUTHBS) received from the home CGSA
processor. If the comparison step (block 104) indicates
a match, the mobile station sends a confirmation message
to the home CGSA processor indicating the success
of the update in the SSD field. Otherwise, the
mobile station reports on the failure of the match comparison.

[0037] Having initialized the mobile station, the SSD
field remains in force until the home CGSA processor
directs the creation of a new SSD field. That can occur,
for example, if there is reason to believe that the SSD
field has been compromised. At such a time, the home
CGSA processor sends another RANDSSD sequence
to the mobile unit, and a directive to create a new SSD
field.

[0038] As mentioned above, in cellular telephony each
base station broadcasts various informational signals
for the benefit of all of the mobile units in its cell. In
accordance with FIG. 1 management, one of the signals
broadcast by the base station is a random or pseudorandom
sequence (RAND sequence). The RAND
sequence is used by various authentication processes
to randomize the signals that are created and sent by
the mobile units. Of course, the RAND sequence must
be changed periodically to prevent record/playback
attacks. One approach for selecting the latency period
of a RAND signal is to make it smaller than the expected
duration of an average call. Consequently, a mobile unit,
in general, is caused to use different RAND signals on
successive calls.

[0039] As soon as the mobile unit detects that it enters
a cell it registers itself with the base unit so that it can be 
authenticated. Only when a mobile unit is authenticated 
can it initiate calls, or have the base station direct calls 
to it. 

[0040] When the mobile unit begins the registration
process it accepts the RAND sequence broadcast by
the base station and, in turn, it sends to the serving
base station its MIN1 and MIN2 designations and its
ESN sequence (in plaintext) as well as a hashed
authentication string. According to FIG. 6, the hashed
authentication string is derived by concatenating the
RAND sequence, the ESN sequence, the MIN1 designation
and the SSD-A subfield to form an authentication
string; and applying the authentication string to the
Jumble process. The hashed authentication string at
the output of the Jumble process is sent to the serving
base station together with the ESN sequence.
[0041] In some embodiments, all or part of the RAND
sequence used by the mobile unit is also sent to the
serving base station (together with the ESN sequence
and the MIN1 and MIN2 designations), because the
possibility exists that the RAND value has changed by
the time the hashed authentication string reaches the
base station.

[0042] On the base station side, the serving base station
knows the RAND sequence (because the base station
created it) and it also knows the ESN and the MIN2
and MIN1 designations with which the mobile unit identified
itself. But the serving base station does not know
the SSD field of the mobile unit. What it does know is
the identity of the mobile unit's home CGSA processor
(from the MIN1 and MIN2 designations). Consequently,
it proceeds with the authentication process by sending
to the mobile unit's home CGSA processor the MIN1
designation, the ESN sequence, the hashed authentication
string that the mobile unit created and transmitted,
and the RAND sequence that the serving base station
broadcast (and which the mobile unit incorporated in
the created hashed authentication string). From the
mobile unit's MIN1 designation and ESN sequence the
home CGSA processor knows the mobile unit's identity
and, hence, the mobile unit's SSD-A subfield. Therefore
it can proceed to create an authentication string just as
the mobile unit did, and apply it to the Jumble process
(FIG. 6). If the hashed authentication string created by
the mobile unit's home CGSA processor matches the
hashed authentication string created in the mobile unit
and supplied by the serving base station, then verification
is deemed successful. In such a case, the home
CGSA processor supplies the serving base station with
the unit's SSD field. As an aside, to keep the ESN designation
and the SSD field secure, the communication
between the base stations and the CGSA processor is
carried in encrypted form.
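
The Jumble hash of [0031] applied to the SSD update of FIG. 2 ([0034]-[0036]) and to registration per FIG. 6 ([0040]-[0042]), as an added Python example that is not part of the patent text. Assumed here: the sample values and field widths, the last four words of each authentication string acting as the key x(j), a three-word signature, SBOX read as (y + [y/2048]) mod 256, and a constant-time comparison.

```python
import hmac

def sawtooth(d, t):
    """s_d(t): 0, 1, ..., d-1, d-2, ..., 1, repeating with period 2d-2."""
    t %= 2 * d - 2
    return t if t < d else 2 * d - 2 - t

def sbox(z):
    """SBOX(z), read here as (y + [y/2048]) mod 256 with y = (z XOR 16)(z+111)(z)."""
    y = (z ^ 16) * (z + 111) * z
    return (y + (y >> 11)) % 256        # y >> 11 is the integer part of y/2048

def jumble(data, key):
    """Hash the d-word block `data` in place with the k-word `key` (8-bit words)."""
    b, d, k = bytearray(data), len(data), len(key)
    if d < 2 or k < 1:
        raise ValueError("need at least two data words and one key word")
    z = 0
    for i in range(6 * d - 4):          # i runs over 0 <= i <= 6d-5
        j = sawtooth(d, i)
        b[j] = (b[j] + key[i % k] + sbox(z)) % 256
        z = (z + b[j]) % 256
    return bytes(b)

KEY_WORDS = 4   # assumption: the last 4 words of a string serve as the key x(j)
SIG_WORDS = 3   # assumption: a signature is the first 3 words of the hashed block

def hash_string(*fields):
    """Concatenate fields into an authentication string and apply Jumble."""
    s = b"".join(fields)
    return jumble(s[:-KEY_WORDS], s[-KEY_WORDS:])

def make_ssd(esn, a_key, randssd):
    """FIG. 4: ESN, A-key, RANDSSD -> SSD field, returned as (SSD-A, SSD-B)."""
    ssd = hash_string(esn, a_key, randssd)
    return ssd[: len(ssd) // 2], ssd[len(ssd) // 2 :]

def signature(challenge, esn, min1, ssd_a):
    """FIG. 5 and FIG. 6: challenge (RANDBS or RAND), ESN, MIN1, SSD-A."""
    return hash_string(challenge, esn, min1, ssd_a)[:SIG_WORDS]

def verify(expected, received):
    """Comparison step, done in constant time (a choice made for this example)."""
    return hmac.compare_digest(expected, received)

# Constructed sample values; the field widths are illustrative only.
ESN = bytes.fromhex("82a1f00d")
A_KEY = bytes.fromhex("0123456789abcdef")
MIN1 = bytes.fromhex("5a17c3")
RANDSSD = bytes.fromhex("4c9d22e1077ab356")

def ssd_update(mobile_a_key, home_a_key, randbs):
    """FIG. 2: each side derives SSD, then the mobile checks the AUTHBS it receives."""
    mobile_ssd_a, _ = make_ssd(ESN, mobile_a_key, RANDSSD)
    home_ssd_a, _ = make_ssd(ESN, home_a_key, RANDSSD)
    authbs = signature(randbs, ESN, MIN1, home_ssd_a)      # sent by the home CGSA
    return verify(signature(randbs, ESN, MIN1, mobile_ssd_a), authbs)

def register(response, rand_on_air):
    """FIG. 6: the home CGSA recomputes the response for the RAND being broadcast."""
    ssd_a, _ = make_ssd(ESN, A_KEY, RANDSSD)
    return verify(signature(rand_on_air, ESN, MIN1, ssd_a), response)

def demo():
    ssd_a, _ = make_ssd(ESN, A_KEY, RANDSSD)
    rand_old, rand_new = bytes.fromhex("11223344"), bytes.fromhex("99aabbcc")
    randbs = bytes.fromhex("0badcafe")
    recorded = signature(rand_old, ESN, MIN1, ssd_a)       # a registration reply
    return {
        "update_same_a_key": ssd_update(A_KEY, A_KEY, randbs),
        "update_wrong_a_key": ssd_update(A_KEY, bytes(8), randbs),
        "register_current_rand": register(recorded, rand_old),
        "register_after_rand_change": register(recorded, rand_new),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'no match'}")
```

The last case is the record/playback situation of [0038]: a reply computed under an earlier RAND no longer matches once the base station has changed RAND.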

[0043] In the above-described protocol, the mobile
unit's CGSA processor attempts to verify the validity of 
the hashed authentication string. When the verification 
is unsuccessful, the CGSA processor informs the serv- 
ing base station that the mobile unit was not authenti- 
cated and may suggest that either the contact with the 
mobile unit be dropped or that the mobile unit be 
directed to retry the registration process. To retry the 
registration process the home CGSA processor can 
either continue participation in the authentication proc- 
ess or it can delegate it to the serving base station. In 
the latter alternative, the serving base station informs 
the home CGSA processor of the ESN sequence and 
the MIN1 designation of the mobile unit, and the CGSA
processor responds with the SSD field of the mobile unit 
and the RANDSSD with which the SSD field was cre- 
ated. Authentication, in the sense of creating a hashed 
authentication string and comparing it to the hashed 
authentication string sent by the mobile unit, is then car- 
ried out by the serving base station. A retry directive can 
then be carried out without the home CGSA process by 
the serving station sending the RANDSSD to the mobile 
unit. This "registration" protocol is depicted in FIG. 3. 
[0044] Once the mobile unit has been "registered" at 
the serving base station (via the above-described proc- 
ess) the serving base station possesses the ESN and 
the SSD field of the mobile unit, and subsequent 
authentication processes in that cell can proceed in the 
serving base station without reference to the home 
CGSA processor, except one. Whenever, for any reason,
it is desirable to alter the SSD field, communication
is effectively between the home CGSA processor and 
the mobile unit; and the serving base station acts only 
as a conduit for this communication. That is because 
creation of a new SSD field requires an access to the 
secret A-key, and access to the A-key is not granted to 
anyone by the CGSA processor. Accordingly, when a 
new SSD field is to be created and the mobile unit is not 
in the area of the home CGSA, the following occurs: 

• the home CGSA processor creates a RANDSSD 
sequence and alters the SSD field based on that 
RANDSSD sequence, 

• the home CGSA processor supplies the serving 
base station with the RANDSSD sequence and the 
newly created SSD field, 

• the serving base station directs the mobile unit to 
alter its SSD field and provides the mobile unit with 
the RANDSSD sequence, 

• the mobile unit alters the SSD field and sends a
challenge to the serving base station,

• the serving base station creates the AUTHBS string
(described above) and sends it to the mobile unit,
and

• the mobile unit verifies the AUTHBS string and
informs the serving base station that both the
mobile unit and the serving base station have the
same SSD fields.

[0045] Having been registered by the serving base 
station, the mobile unit can initiate calls with an authen- 
tication process as depicted in FIG. 7. The call initiation 
sequence concatenates signals RAND, ESN, SSD-A 
and at least some of the called party's identification 
(phone) number (MIN3 in FIG. 7). The concatenated 
signals are applied to the Jumble process to develop a 
hashed authentication sequence that can be verified by 
the serving base station. Of course, to permit verifica- 
tion at the serving base station, the called party's iden- 
tification number must also be transmitted in a manner 
that can be received by the base station (and, as before, 
perhaps a portion of the RAND signal), i.e., in plaintext. 
Once the authentication sequence is verified, the base 
station can process the call and make the connection to 
the called party. 

[0046] The protocol for connecting to a mobile unit 
when it is a "called party" follows the registration proto- 
col of FIG. 6. That is, the serving base station requests 
the called mobile station to send an authentication 
sequence created from the RAND sequence, ESN designation,
MIN1 designation and SSD-A subfield. When
authentication occurs, a path is set up between the 
base station and the called party mobile unit, for the lat- 
ter to receive data originating from, and send data to, 
the mobile unit (or stationary unit) that originated the 
call. 

[0047] It should be noted that all of the authentications described above are effective only (in the sense of being verified) with respect to the authenticated packets, or strings, themselves. To enhance security at other times, three different additional security measures can be employed. They are speech encryption, occasional re-authentication, and control message encryption.

Speech Encryption 

[0048] The speech signal is encrypted by first converting it to digital form. This can be accomplished in any number of conventional ways, with or without compression, and with or without error correction codes. The bits of the digital signals are divided into successive groups of K bits and each of the groups is encrypted. More specifically, in both the mobile unit and the base station the RAND sequence, the ESN and MIN1 designations, and the SSD-B subfield are concatenated and applied to the Jumble process. The Jumble process produces 2K bits and those bits are divided into groups A and B of K bits each. In the mobile unit group A is used for encrypting outgoing speech, and group B is used for decrypting incoming speech. Conversely in the base station, group A is used for decrypting incoming speech and group B is used for encrypting outgoing speech. FIG. 8 depicts the speech encryption and decryption process.

Re-authentication 

[0049] At the base station's pleasure, a re-authentication process is initiated to confirm that the mobile unit which the base station believes is active, is, in fact, the mobile unit that was authorized to be active. This is accomplished by the base station requesting the mobile unit to send a hashed authentication sequence in accordance with FIG. 9. With each such request, the base station sends a special (RANDU) sequence. The mobile unit creates the hashed authentication sequence by concatenating the RANDU sequence, the area code MIN2 designation of the mobile unit, the ESN designation, the MIN1 designation and the SSD-A designation. The concatenated string is applied to the Jumble process, and the resulting hashed authentication string is sent to the base station. The base station, at this point, is in a position to verify that the hashed authentication string is valid.
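The three hashed authentication sequences of paragraphs [0045], [0046] and [0049] can be laid side by side in code. The following is an added example, not code from the patent: SHA-256 stands in for the Jumble process (which is not reproduced in this section), and the field values, field widths and the names Subscriber and BaseStation are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def jumble_stand_in(*fields, out_len=8):
    """Stand-in for the patent's Jumble process, which is not reproduced here.

    Assumption: SHA-256 over the length-prefixed concatenation of the fields,
    truncated to out_len bytes.
    """
    h = hashlib.sha256()
    for field in fields:
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()[:out_len]


@dataclass(frozen=True)
class Subscriber:
    """Values held by both the mobile unit and the serving base station."""
    esn: bytes
    min1: bytes
    min2: bytes
    ssd_a: bytes


def origination_auth(sub, rand, min3):
    # Call initiation (FIG. 7): RAND, ESN, SSD-A and called-party digits MIN3.
    return jumble_stand_in(rand, sub.esn, sub.ssd_a, min3)


def termination_auth(sub, rand):
    # Mobile unit as called party: RAND, ESN, MIN1 and SSD-A.
    return jumble_stand_in(rand, sub.esn, sub.min1, sub.ssd_a)


def reauth_response(sub, randu):
    # Re-authentication (FIG. 9): RANDU, MIN2, ESN, MIN1 and SSD-A.
    return jumble_stand_in(randu, sub.min2, sub.esn, sub.min1, sub.ssd_a)


class BaseStation:
    """Issues RANDU challenges and verifies each hashed response once."""

    def __init__(self, record):
        self.record = record
        self.pending = None

    def challenge(self, randu=None):
        # A fresh RANDU per request; the parameter exists for repeatable tests.
        self.pending = randu if randu is not None else secrets.token_bytes(4)
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = reauth_response(self.record, self.pending)
        self.pending = None  # a challenge is consumed by one attempt
        return hmac.compare_digest(expected, response)


# Constructed sample values; the field widths are illustrative only.
GENUINE = Subscriber(esn=bytes.fromhex("82a1b2c3"), min1=b"5551234",
                     min2=b"908", ssd_a=bytes.fromhex("0011223344556677"))
# Same identity fields (which travel in plaintext) but without the real SSD-A.
CLONE = Subscriber(GENUINE.esn, GENUINE.min1, GENUINE.min2, ssd_a=bytes(8))

if __name__ == "__main__":
    bs = BaseStation(GENUINE)
    randu = bs.challenge()
    print("genuine unit accepted:", bs.verify(reauth_response(GENUINE, randu)))
    randu = bs.challenge()
    print("unit without SSD-A accepted:", bs.verify(reauth_response(CLONE, randu)))
```

Because RANDU changes with every request and SSD-A never leaves the unit, a response recorded from one exchange does not verify against the next challenge.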

Control Message Cryptosystem 

[0050] The third security measure deals with ensuring the privacy of control messages. In the course of an established call, various circumstances may arise that call for the transmission of control messages. In some situations, the control messages can significantly and adversely affect either the mobile station that originated the call or the base station. For that reason, it is desirable to encipher (reasonably well) some types of control messages sent while the conversation is in progress. Alternately, selected fields of chosen message types may be encrypted. This includes "data" control messages such as credit card numbers, and call redefining control messages. This is accomplished with the Control Message Cryptosystem.

[0051] The Control Message Cryptosystem (CMC) is a symmetric key cryptosystem that has the following properties:

1) it is relatively secure,

2) it runs efficiently on an eight-bit computer, and

3) it is self-inverting (i.e., involutory).

[0052] The cryptographic key for CMC is an array, TBOX[z], of 256 bytes which is derived from a "secret" (e.g., SSD-B subfield) as follows:

1. for each z in the range 0 ≤ z < 256, set TBOX[z] = z, and

2. apply the array TBOX[z] and the secret (SSD-B) to the Jumble process.

[0053] This is essentially what is depicted in elements 301, 302 and 303 in FIG. 8 (except that the number of bits in FIG. 8 is 2K rather than 255 bytes).

[0054] Once the key is derived, CMC can be used to encrypt and decrypt control messages. Alternately, the key can be derived "on the fly" each time the key is used. CMC has the capability to encipher variable length messages of two or more bytes. CMC's operation is self-inverting, reciprocal, or involutory. That is, precisely the same operations are applied to the ciphertext to yield plaintext as are applied to plaintext to yield ciphertext. An involutory function is a function which is its own inverse (e.g., x = 1/x', x = T(T(x'))). Thus, a two-fold application of the CMC operations would leave the data unchanged.

[0055] In the description that follows it is assumed that for the encryption process (and the decryption process) the plaintext (or the ciphertext) resides in a data buffer and that CMC operates on the contents of that data buffer such that the final contents of the data buffer constitute the ciphertext (or plaintext). That means that elements 502 and 504 in FIG. 10 can be one and the same register.

[0056] CMC is comprised of three successive stages, each of which alters each byte string in the data buffer. Note that both CMC, as a whole, and the second constituent stage of CMC are an involution. When the data buffer is d bytes long and each byte is designated by b(i), for i in the range 0 ≤ i < d:

I. The first stage of CMC is as follows:

1. Initialize a variable z to zero,

2. For successive integer values of i in the range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order byte of i, where ⊕ is the bitwise boolean Exclusive-OR operator,

b. form variable k by: k = TBOX[q],

c. update b(i) with: b(i) = b(i) + k mod 256, and

d. update z with: z = b(i) + z mod 256.

II. The second stage of CMC is involutory and comprises:

1. for all values of i in the range 0 ≤ i < (d-1)/2: b(i) = b(i) ⊕ (b(d-1-i) OR 1), where OR is the bitwise boolean OR operator.

III. CMC's final stage is the decryption that is inverse of the first stage:

1. Initialize a variable z to zero,

2. For successive integer values of i in the range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order byte of i,

b. form variable k by: k = TBOX[q],

c. update z with: z = b(i) + z mod 256,

d. update b(i) with: b(i) = b(i) - k mod 256.

The three stage process employed to encrypt and decrypt selected control and data messages is illustrated in FIG. 10. In one preferred embodiment the first stage and the third stage are an autokey encryption and decryption, respectively. An autokey system is a time-varying system where the output of the system is used to affect the subsequent output of the system. For further reference regarding cryptography and autokey systems, see W. Diffie and M.E. Hellman, Privacy and Authentication: An Introduction to Cryptography, Proc. of the I.E.E.E., Vol. 67, No. 3, March 1979.
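The three CMC stages of paragraph [0056], written out so the self-inverting property of paragraph [0054] can be checked on real buffers. This is an added example, not code from the patent: the Jumble process used to derive TBOX is not reproduced in this section, so derive_tbox substitutes a SHA-256 counter stream (an assumption), and the secret and messages are constructed.

```python
import hashlib


def derive_tbox(secret):
    """Build the 256-byte CMC key TBOX from a secret such as SSD-B.

    The patent starts from TBOX[z] = z and mixes in the secret with its Jumble
    process. Jumble is not reproduced here; as a labelled assumption, a SHA-256
    counter stream stands in for it.
    """
    stream = b"".join(hashlib.sha256(secret + bytes([c])).digest()
                      for c in range(8))          # 8 * 32 = 256 bytes
    return [(z + stream[z]) % 256 for z in range(256)]


def stage1(buf, tbox):
    """Autokey encryption: each output byte feeds z for the next byte."""
    z = 0
    for i in range(len(buf)):
        q = z ^ (i & 0xFF)           # low order byte of i
        k = tbox[q]
        buf[i] = (buf[i] + k) % 256
        z = (buf[i] + z) % 256


def stage2(buf):
    """Unkeyed involution: the first half is XORed with (mirror byte OR 1)."""
    d = len(buf)
    for i in range(d):
        if 2 * i >= d - 1:           # same bound as i < (d-1)/2
            break
        buf[i] ^= buf[d - 1 - i] | 1


def stage3(buf, tbox):
    """Autokey decryption: inverse of stage1 (z is updated before b(i))."""
    z = 0
    for i in range(len(buf)):
        q = z ^ (i & 0xFF)
        k = tbox[q]
        z = (buf[i] + z) % 256
        buf[i] = (buf[i] - k) % 256


def cmc(data, tbox):
    """Run the three stages on a copy; the same call encrypts and decrypts."""
    if len(data) < 2:
        raise ValueError("CMC operates on messages of two or more bytes")
    buf = bytearray(data)
    stage1(buf, tbox)
    stage2(buf)
    stage3(buf, tbox)
    return bytes(buf)


def check_properties(tbox, max_len=48):
    """Return True if, for every length 2..max_len, CMC is self-inverting and
    never maps a message to itself (the OR 1 keeps the stage-2 mask nonzero)."""
    for d in range(2, max_len + 1):
        msg = bytes((7 * n + d) % 256 for n in range(d))   # constructed input
        ct = cmc(msg, tbox)
        if cmc(ct, tbox) != msg or ct == msg:
            return False
    return True


TBOX = derive_tbox(b"constructed SSD-B stand-in")

if __name__ == "__main__":
    message = b"constructed control message"
    ciphertext = cmc(message, TBOX)
    print(ciphertext.hex())
    print(cmc(ciphertext, TBOX) == message)
```

The involution follows from the structure alone (stage 3 undoes stage 1, and stage 2 reads only bytes it does not modify), so it holds for any 256-entry table, not only for a well-mixed one.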

Mobile Unit Apparatus

[0057] FIG. 11 presents a block diagram of a mobile unit hardware. It comprises a control block 200 which includes (though not illustrated) the key pad of a cellular telephone, the hand set and the unit's power control switch. Control block 200 is connected to processor 210 which controls the workings of the mobile unit, such as converting speech signals to digital representation, incorporating error correction codes, encrypting the outgoing digital speech signals, decrypting incoming speech signals, forming and encrypting (as well as decrypting) various control messages, etc. Block 210 is coupled to block 220 which comprises the bulk of the circuitry associated with transmission and reception of signals. Blocks 200-220 are basically conventional blocks, performing the functions that are currently performed by commercial mobile telephone units (though the commercial units do not carry out encrypting and decrypting). To incorporate the authentication and encryption processes disclosed herein, the apparatus of FIG. 11 also includes a block 240 which comprises a number of registers coupled to processor 210, and a "personality" module 230 that is also coupled to processor 210. Module 230 may be part of the physical structure of a mobile telephone unit or it may be a removable (and pluggable) module that is coupled to the mobile telephone unit through a socket interface. It may also be coupled to processor 210 through an electromagnetic path, or connection. In short, module 230 may be, for example, a "smart card".

[0058] Module 230 comprises a Jumble processor 231 and a number of registers associated with processor 231. Alternately, in another preferred embodiment, only the A-key is in the module 230. A number of advantages accrue from installing (and maintaining) the A-key and the MIN1 and MIN2 designations in the registers of module 230, rather than in the registers of block 240. It is also advantageous to store the developed SSD field in the registers of module 230. It is further advantageous to include among the registers of module 230 any needed working registers for carrying out the processes of processor 231. By including these elements in module 230, the user may carry the module on his person to use it with different mobile units (e.g. "extension" mobile units) and have none of the sensitive information be stored outside the module. Of course, mobile units may be produced with module 230 being an integral and permanent part of the unit. In such embodiments, Jumble processor 231 may be merged within processor 210. Block 240 stores the unit's ESN designation and the various RAND sequences that are received.

[0059] Although the above disclosure is couched in terms of subscriber authentication in a cellular telephony environment, and that includes personal communication networks which will serve portable wallet sized handsets, it is clear that the principles of this invention have applicability in other environments where the communication is perceived to be not sufficiently secure and where impersonation is a potential problem. This includes computer networks, for example.

Claims 

1. A method for encrypting a set of message signals for transmission in a communication system, CHARACTERIZED BY:

creating a set of key signals by hashing a set of first signals and a set of second signals;
encrypting (505) said set of message signals based on a subset of said set of key signals to form a set of first intermediate signals;
altering said set of first intermediate signals in accordance with an unkeyed involutory transformation (507) which modifies a first subset of said set of first intermediate signals based on a second subset of said first intermediate signals to form a set of second intermediate signals; and
decrypting (511) said set of second intermediate signals in accordance with a transformation which is the inverse of said step of encrypting to form a set of encrypted message signals (504) to be transmitted in said communication system.

2. A method for decrypting a set of message signals received in a communication system, CHARACTERIZED BY:

creating a set of key signals by hashing a set of first signals and a set of second signals;
encrypting (505) said set of message signals based on a subset of said set of key signals to form a set of first intermediate signals;
altering said set of first intermediate signals with an unkeyed involutory transformation (507) which modifies a first subset of said set of first intermediate signals based on a second subset of said first intermediate signals to form a set of second intermediate signals; and
decrypting (511) said set of second intermediate signals with a transformation which is the inverse of said step of encrypting to form a set of decrypted message signals (504).

3. A method as claimed in claim 1, comprising the step of receiving the set of first signals.

4. A method as claimed in claim 2, comprising the step of generating the set of first signals.

5. A method as claimed in claim 1, comprising the step of generating said set of message signals.

6. A method as claimed in claim 2, comprising the step of acting on said set of decrypted message signals.

7. A method as claimed in claim 1, comprising the step of transmitting said set of encrypted message signals.

8. A method as claimed in claim 2, comprising the step of receiving said set of message signals.

9. Apparatus for encrypting a set of message signals for transmission in a communication system, CHARACTERIZED BY:

means for creating a set of key signals by hashing a set of first signals and a set of second signals;
means (501) for encrypting said set of message signals based on a subset of said set of key signals to form a set of first intermediate signals;
means (509) for altering said set of first intermediate signals in accordance with an unkeyed involutory transformation which modifies a first subset of said set of first intermediate signals based on a second subset of said first intermediate signals to form a set of second intermediate signals; and
means (513) for decrypting said set of second intermediate signals in accordance with a transformation which is the inverse of said step encrypting to form a set of encrypted message signals to be transmitted in said communications system.

10. Apparatus for decrypting a set of message signals received in a communication system, CHARACTERIZED BY:

means for creating a set of key signals by hashing a set of first signals and a set of second signals;
means (501) for encrypting said set of message signals based on a subset of said set of key signals to form a set of first intermediate signals;
means (509) for altering said set of first intermediate signals with an unkeyed involutory transformation which modifies a first subset of said set of first intermediate signals based on a second subset of said first intermediate signals to form a set of second intermediate signals; and
means (513) for decrypting said set of second intermediate signals with a transformation which is the inverse of said step of encrypting to form a set of decrypted message signals.

11. Apparatus as claimed in claim 9, comprising means for receiving the set of first signals.

12. Apparatus as claimed in claim 10, comprising means for generating the set of first signals.

13. Apparatus as claimed in claim 9, comprising means for generating said set of message signals.

14. Apparatus as claimed in claim 10, comprising means for acting on said set of decrypted message signals.

15. Apparatus as claimed in claim 9, comprising means for transmitting said set of encrypted message signals.

16. Apparatus as claimed in claim 10, comprising means for receiving said set of message signals.
Claims (German-language text)

1. Method for encrypting a set of message signals which are to be transmitted in a communication system, characterized by:

generating a set of key signals by hash processing of a set of first signals and a set of second signals;
encrypting (505) the set of message signals on the basis of a subset of the set of key signals to form a set of first intermediate signals;
altering the set of first intermediate signals in accordance with an unkeyed involutory transformation (507) which modifies a first subset of the set of first intermediate signals on the basis of a second subset of the first intermediate signals in order to form a set of second intermediate signals; and
decrypting (511) the set of second intermediate signals in accordance with a transformation which is the inverse of the encrypting step, whereby a set of encrypted message signals (504) is formed which are to be transmitted in the communication system.

2. Method for decrypting a set of message signals which are received in a communication system, characterized by:

generating a set of key signals by hash processing of a set of first signals and a set of second signals;
encrypting (505) the set of message signals on the basis of a subset of the set of key signals to form a set of first intermediate signals;
altering the set of first intermediate signals with an unkeyed involutory transformation (507) which modifies a first subset of the set of first intermediate signals on the basis of a second subset of the first intermediate signals in order to form a set of second intermediate signals; and
decrypting (511) the set of second intermediate signals with a transformation which is the inverse of the encrypting step, whereby a set of decrypted message signals (504) is formed.

3. Method according to claim 1, with the step of receiving the set of first signals.

4. Method according to claim 2, with the step of generating the set of first signals.

5. Method according to claim 1, with the step of generating the set of message signals.

6. Method according to claim 2, with the step of processing the set of decrypted message signals.

7. Method according to claim 1, with the step of sending the set of encrypted message signals.

8. Method according to claim 2, with the step of receiving the set of message signals.

9. Apparatus for encrypting a set of message signals which are to be transmitted in a communication system, characterized by:

a means for generating a set of key signals by hash processing of a set of first signals and a set of second signals;
a means (501) for encrypting the set of message signals on the basis of a subset of the set of key signals to form a set of first intermediate signals;
a means (509) for altering the set of first intermediate signals in accordance with an unkeyed involutory transformation which modifies a first subset of the set of first intermediate signals on the basis of a second subset of the first intermediate signals in order to form a set of second intermediate signals; and
a means (513) for decrypting the set of second intermediate signals in accordance with a transformation which is the inverse of the encrypting step, whereby a set of encrypted message signals is formed which are to be transmitted in the communication system.

10. Apparatus for decrypting a set of message signals which are received in a communication system, characterized by:

a means for generating a set of key signals by hash processing of a set of first signals and a set of second signals;
a means (501) for encrypting the set of message signals on the basis of a subset of the set of key signals to form a set of first intermediate signals;
a means (509) for altering the set of first intermediate signals with an unkeyed involutory transformation which modifies a first subset of the set of first intermediate signals on the basis of a second subset of the first intermediate signals in order to form a set of second intermediate signals; and
a means (513) for decrypting the set of second intermediate signals with a transformation which is the inverse of the encrypting step, whereby a set of decrypted message signals is formed.

11. Apparatus according to claim 9, with a means for receiving the set of first signals.

12. Apparatus according to claim 10, with a means for generating the set of first signals.

13. Apparatus according to claim 9, with a means for generating the set of message signals.

14. Apparatus according to claim 10, with a means for processing the set of decrypted message signals.

15. Apparatus according to claim 9, with a means for sending the set of encrypted message signals.

16. Apparatus according to claim 10, with a means for receiving the set of message signals.

Claims (French-language text)

1. Method for encrypting a set of message signals with a view to their transmission in a communication system, CHARACTERIZED BY:

the creation of a set of key signals by hashing a set of first signals and a set of second signals;
the encrypting (505) of said set of message signals as a function of a subset of said set of key signals with a view to forming a set of first intermediate signals;
the modification of said set of first intermediate signals in accordance with an unkeyed involutory transformation (507) which modifies a first subset of said set of first intermediate signals as a function of a second subset of said first intermediate signals with a view to forming a set of second intermediate signals; and
the decrypting (511) of said set of second intermediate signals in accordance with a transformation which is the inverse of said encrypting step with a view to forming a set of encrypted message signals (504) to be transmitted in said communication system.

2. Method for decrypting a set of message signals received in a communication system, CHARACTERIZED BY:

the creation of a set of key signals by hashing a set of first signals and a set of second signals;
the encrypting (505) of said set of message signals as a function of a subset of said set of key signals with a view to forming a set of first intermediate signals;
the modification of said set of first intermediate signals with an unkeyed involutory transformation (507) which modifies a first subset of said set of first intermediate signals as a function of a second subset of said first intermediate signals with a view to forming a set of second intermediate signals; and
the decrypting (511) of said set of second intermediate signals with a transformation which is the inverse of said encrypting step with a view to forming a set of encrypted message signals (504).

3. Method according to claim 1, comprising the step of receiving the set of first signals.

4. Method according to claim 2, comprising the step of generating the set of first signals.

5. Method according to claim 1, comprising the step of generating said set of message signals.

6. Method according to claim 2, comprising the step of acting on said set of decrypted message signals.

7. Method according to claim 1, comprising the step of transmitting said set of encrypted message signals.

8. Method according to claim 2, comprising the step of receiving said set of message signals.

9. Device for encrypting a set of message signals with a view to their transmission in a communication system, CHARACTERIZED BY:

a means for creating a set of key signals by hashing a set of first signals and a set of second signals;
a means (501) for encrypting said set of message signals as a function of a subset of said set of key signals with a view to forming a set of first intermediate signals;
a means (509) for modifying said set of first intermediate signals in accordance with an unkeyed involutory transformation which modifies a first subset of said set of first intermediate signals as a function of a second subset of said first intermediate signals with a view to forming a set of second intermediate signals; and
a means (513) for decrypting said set of second intermediate signals in accordance with a transformation which is the inverse of said encrypting step with a view to forming a set of encrypted message signals to be transmitted in said communication system.

10. Device for decrypting a set of message signals received in a communication system, CHARACTERIZED BY:

a means for creating a set of key signals by hashing a set of first signals and a set of second signals;
a means (501) for encrypting said set of message signals as a function of a subset of said set of key signals with a view to forming a set of first intermediate signals;
a means (509) for modifying said set of first intermediate signals with an unkeyed involutory transformation which modifies a first subset of said set of first intermediate signals as a function of a second subset of said first intermediate signals with a view to forming a set of second intermediate signals; and
a means (513) for decrypting said set of second intermediate signals with a transformation which is the inverse of said encrypting step with a view to forming a set of encrypted message signals.

11. Device according to claim 9, comprising a means for receiving the set of first signals.

12. Device according to claim 10, comprising a means for generating the set of first signals.

13. Device according to claim 9, comprising a means for generating said set of message signals.

14. Device according to claim 10, comprising a means for acting on said set of decrypted message signals.

15. Device according to claim 9, comprising a means for transmitting said set of encrypted message signals.

16. Device according to claim 10, comprising a means for receiving said set of message signals.
FIG. 1
FIG. 4
FIG. 8
FIG. 10